6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1

General

Target

6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
Size

172KB
MD5

041608049bd1953a01bfdcc668a38230
SHA1

5fb773836da584f53d41145c73fed6951d2c91ee
SHA256

6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1
SHA512

c7f94d825290328293c027289bf8d8dcdf372471a5bb5bb0f678ee886344012b6c8db157cc69bd6024776023afb5ea06c2ee2d9a1f855c56159b6abbe9efcce9
SSDEEP

3072:JBAp5XhKpN4eOyVTGfhEClj8jTk+0hidxC:MbXE9OiTGfhEClq94

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1592	WScript.exe
4	1592	WScript.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WScript.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hiuds\myson\sk.txt	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
File opened for modification	C:\Program Files (x86)\hiuds\myson\pl.txt	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
File opened for modification	C:\Program Files (x86)\hiuds\myson\gl.bat	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
File opened for modification	C:\Program Files (x86)\hiuds\myson\gk.vbs	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
File opened for modification	C:\Program Files (x86)\hiuds\myson\gj.vbs	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1732	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	28
PID 1392 wrote to memory of 1732	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	28
PID 1392 wrote to memory of 1732	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	28
PID 1392 wrote to memory of 1732	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	28
PID 1392 wrote to memory of 1592	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	30
PID 1392 wrote to memory of 1592	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	30
PID 1392 wrote to memory of 1592	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	30
PID 1392 wrote to memory of 1592	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	30
PID 1392 wrote to memory of 1412	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	31
PID 1392 wrote to memory of 1412	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	31
PID 1392 wrote to memory of 1412	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	31
PID 1392 wrote to memory of 1412	1392	6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe	31

C:\Users\Admin\AppData\Local\Temp\6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe
"C:\Users\Admin\AppData\Local\Temp\6c2c8952b7e9f86b5eb6bfdecd0560d8a236781ad47cbe3dfed24facd0e9cfe1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\hiuds\myson\gl.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hiuds\myson\gk.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:1592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\hiuds\myson\gj.vbs"
  2⤵
  - Drops file in Drivers directory
  PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hiuds\myson\gj.vbs

Filesize
685B

MD5
e42be130bd12582326c7cf128c150c76

SHA1
f235bf367c1cc0390871350372885fc36b27ad95

SHA256
edb7d3e4fde2ecbdcc04a9a54b8159d3091990c25cc16f12d65cdcc0a5d79575

SHA512
9e6a552a719cb274dc21c798e6332e37b6b8056b5368054dfad959a2110915cd381f067731ca5edd7a193d3aaefdef8fc87e5f022799f65c4402ebd8b224dfbb

Download Submit
C:\Program Files (x86)\hiuds\myson\gk.vbs

Filesize
457B

MD5
313f380534d54ff95e53b82794c7e700

SHA1
edcd30e85c06094409ad2441bea6fb0c3b00b984

SHA256
01dd0a981e4306504562bab6177e3e27e2b52b736cadd54d82160750fe1d9c44

SHA512
f3ddb424f15482da47259ce695ea730e39f99c292495e7eb94d8cf66a59cc4102cfe558bc1708ed8ef50f36caebcc8048fc581083f4c01b9f41f30eaafd7afef

Download Submit
C:\Program Files (x86)\hiuds\myson\gl.bat

Filesize
3KB

MD5
80291d65d5fcc1db51194a263a6b5924

SHA1
920d8de811d2ecae6d3d3621dc8e8857429f1eb5

SHA256
bbf6cf4618352c29e151ede0e7a495a639bdad179b381e772510da3f1fc17b41

SHA512
d59d92859f279ba47b2ca7443eaab4733493688a1307b56e3f3926d37a5f0a1ac3ec701b4a67b3a081680c7ff3db7c2e62aac1aa866f1c4b4b4471db27438eb8

Download Submit
C:\Program Files (x86)\hiuds\myson\pl.txt

Filesize
1B

MD5
fc1262746424402278e88f6c1f02f581

SHA1
77ac341feebeb7c0a7ff8f9c6540531500693bac

SHA256
94455e3ed9f716bea425ef99b51fae47128769a1a0cd04244221e4e14631ab83

SHA512
f9cd8ac2f900da287babe09ec5a017506809531fa60d273a75eb2d5c7d9ad2d7596b4deb3dfd01638295e06a572c306fc0014dd36def8aa6c72de426a9bacff6

Download Submit
C:\Program Files (x86)\hiuds\myson\sk.txt

Filesize
5B

MD5
848c8e8cef933a34d7007e750f87ba3c

SHA1
39391fab056012c361bed2a536c864c920eaf83a

SHA256
6fa5d6edb63215a49b1468d46bf5878b2e5d29d96fb2e796cd94d654f1d7ef20

SHA512
d2134c1d80398b2b38f0bd9ea3ce737700ac9f079575d4b3ddb416e6b08c9cd1213aebacae9a0e8e531349b43f325c330a327ded644bc4d787197556f59cd03d

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
b44c1850cc5fe30dbc8267e51dc5d7fd

SHA1
776b049656793e32e0e63719ae57fedfa29cc2a5

SHA256
4532f88845e07e622ccd772cf1ccf70425d310b55a764469fd691a878b00929a

SHA512
3230ba2648d501d153ffa30bb78f7e6c85b66e55aeef4c1ae6084ebe5e1ca5c231252c41ce448f7f595e065361bf6fd97e336c562dfa2664e5b13a1d55df171b

Download Submit
memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing